Events delivery delay

Hi everyone.

I'm posting this because someone may have the same issue.

Right now we have the following topology:

firewalls (syslog) -> connector appliance -> Logger -> ESM

All our devices get their time from our NTP server, so a timezone mismatch is ruled out.

When we create an active channel on the connectors we can see the events arriving at the ESM; the issue is that they are more or less 5 hours late. We tried to fix it with the time correction feature, but the correction only worked for 1.30 minutes.

After that 1.30 minutes the delay began to grow exponentially (1.30, 3 m, 9 m and so on), and right now it continues growing; we can't use dashboards or correlation rules because we don't have those events in real time.

We think that maybe the device is waiting for more events to aggregate them, but it is taking too much time.

Do you think that may be the issue?

We have a ticket with support, but we would like to hear more points of view, or maybe from someone who has had the same issue and fixed it.

Thanks in advance to everyone for your help.

Regards.

Alfonso.

  • Alfonso,

    Since your ESM gets the events from Logger you have to start your investigation there. Turn off time correction, since I believe it's just confusing the issue, and open up a channel in ESM. Compare Manager Receipt Time (when ESM received the event) with Agent Receipt Time (for events forwarded on by Logger this'll be when Logger received the event) with Device Receipt Time/End Time (usually the time the event happened). If the Manager Receipt and the Agent Receipt times are more or less in line, then the problem occurs somewhere earlier in the flow and you have to go to Logger to investigate. If you find that there is a discrepancy between the Manager and the Agent receipt times (more than a few minutes), then it's likely that the forwarders on your Logger are having problems keeping up with the flow. Depending on the version of Logger you are running, there is a bug in 4.0 that results in lower EPS to the manager than the Logger is truly capable of; see this KB article: https://arcsight.custhelp.com/cgi-bin/arcsight.cfg/php/enduser/std_adp.php?p_faqid=3454 (KB3454)

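As an added illustration of the three-way timestamp comparison described in the reply above (example code written for this page, not ArcSight's own tooling), the following Python script takes events exported from an ESM channel, computes the lag on each hop of the syslog -> connector -> Logger -> ESM chain, and reports which hop carries the delay and whether the backlog is growing. The field names `deviceReceiptTime`, `agentReceiptTime` and `managerReceiptTime` are assumed CEF-style names for the columns the reply calls Device Receipt Time, Agent Receipt Time and Manager Receipt Time; the events and the 5-minute threshold are constructed for the example.

```python
"""Localize event delivery delay across syslog -> connector -> Logger -> ESM
by comparing the three ArcSight receipt timestamps named in the reply.

The sample events below are constructed for this example (not real data);
the lags deliberately echo the 1.5 / 3 / 9 minute growth the poster saw.
"""
from datetime import datetime
from statistics import median

# Constructed sample events, ISO-8601 UTC.  In a real investigation these
# would be exported from an ESM active channel showing the three time columns.
SAMPLE_EVENTS = [
    {"deviceReceiptTime": "2024-01-10T10:00:00+00:00",   # event happened
     "agentReceiptTime": "2024-01-10T10:00:02+00:00",    # Logger received it
     "managerReceiptTime": "2024-01-10T10:01:32+00:00"}, # ESM received it
    {"deviceReceiptTime": "2024-01-10T10:10:00+00:00",
     "agentReceiptTime": "2024-01-10T10:10:02+00:00",
     "managerReceiptTime": "2024-01-10T10:13:02+00:00"},
    {"deviceReceiptTime": "2024-01-10T10:20:00+00:00",
     "agentReceiptTime": "2024-01-10T10:20:03+00:00",
     "managerReceiptTime": "2024-01-10T10:29:03+00:00"},
    {"deviceReceiptTime": "2024-01-10T10:30:00+00:00",
     "agentReceiptTime": "2024-01-10T10:30:02+00:00",
     "managerReceiptTime": "2024-01-10T10:57:02+00:00"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def hop_lags(event: dict) -> dict:
    """Per-hop lag in seconds for one event."""
    dev = _parse(event["deviceReceiptTime"])
    agt = _parse(event["agentReceiptTime"])
    mgr = _parse(event["managerReceiptTime"])
    return {
        # firewall/connector -> Logger: large values mean the delay is
        # upstream of Logger (device clock, syslog, connector queue)
        "upstream_to_logger": (agt - dev).total_seconds(),
        # Logger forwarder -> ESM: large values point at the forwarders
        "logger_to_esm": (mgr - agt).total_seconds(),
        "total": (mgr - dev).total_seconds(),
    }


def localize_delay(events: list, threshold_seconds: float = 300.0) -> dict:
    """Report median lag per hop, the suspect hop, and whether the backlog grows.

    threshold_seconds is the "more than a few minutes" from the reply; assumed
    5 minutes here.  Events are ordered by device time before the trend check.
    """
    ordered = sorted(events, key=lambda e: _parse(e["deviceReceiptTime"]))
    lags = [hop_lags(e) for e in ordered]
    med_up = median([l["upstream_to_logger"] for l in lags])
    med_fwd = median([l["logger_to_esm"] for l in lags])
    if med_fwd > threshold_seconds:
        suspect = "logger_forwarder"      # Manager vs Agent receipt diverge
    elif med_up > threshold_seconds:
        suspect = "upstream_of_logger"    # Manager and Agent in line, Device not
    else:
        suspect = "in_line"
    totals = [l["total"] for l in lags]
    # A strictly increasing end-to-end lag means the queue is not draining.
    growing = len(totals) >= 2 and all(b > a for a, b in zip(totals, totals[1:]))
    return {
        "median_upstream_to_logger": med_up,
        "median_logger_to_esm": med_fwd,
        "suspect": suspect,
        "backlog_growing": growing,
    }


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print({k: f"{v:.0f}s" for k, v in hop_lags(e).items()})
    print(localize_delay(SAMPLE_EVENTS))
```

With the constructed data the Agent Receipt Time tracks the Device Receipt Time within seconds while the Manager Receipt Time drifts further behind on every event, so the script blames the Logger forwarders and flags a growing backlog; a dataset where Agent and Manager times agree but both trail the device time would instead point upstream of Logger, which is the split the reply asks you to make before going to Logger.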